A computer network typically includes a collection of interconnected computing devices that exchange data and share resources. The devices may include, for example, web servers, database servers, file servers, routers, printers, end-user computers and other devices. The variety of devices may execute a number of different services, operating systems (or operating system versions) and communication protocols. Each of the different services, operating systems and communication protocols may expose the network to different security vulnerabilities. A malicious user or “hacker” may exploit these security vulnerabilities to gain unauthorized access to, disrupt or generally attack the network.
Typically, techniques for detecting these network attacks use pattern matching. In particular, an Intrusion Detection and Prevention (“IDP”) device may reside at an edge of a network and be statically configured or provisioned to apply regular expressions or sub-string matches to detect defined attack patterns within data streams entering the network. Some networks may feature more or fewer security vulnerabilities, requiring the IDP device to be statically provisioned to identify and/or prevent correspondingly more or fewer attacks.
When a conventional IDP device is deployed to protect a plurality of networks or sub-networks, the IDP device is often statically provisioned to apply a set of security services that identifies and/or prevents all of the known network attacks capable of exploiting any of the security vulnerabilities of the least secure one of the plurality of networks. In this respect, the IDP device applies services that identify and/or prevent attacks attempting to exploit security vulnerabilities not present in the other, more secure networks of the plurality of networks. The network featuring the most security vulnerabilities may therefore directly determine the number of different security services the IDP device is statically configured to apply. The IDP device applies these services to every data stream it processes, in an attempt to identify and/or prevent all of the different types of network attacks, regardless of whether a particular stream is directed to the most vulnerable network or not.
Because the IDP device may be statically configured to apply network security services that attempt to identify attacks in data streams destined for networks that are invulnerable to such attacks, the IDP device may introduce certain network inefficiencies. That is, IDP device resources may be unnecessarily consumed to identify and/or prevent attacks that would ultimately be unsuccessful due to the nature of the secure network to which the packets are destined. These network inefficiencies may become particularly noticeable during times of high network congestion, when, for example, the IDP device may not be able to process the high levels of network traffic. Under such circumstances, the network inefficiencies may introduce delay or prevent the delivery of the packets. Thus, by statically provisioning the IDP device to identify and/or prevent attacks for the lowest common denominator of networks or network devices, e.g., the least secure or most vulnerable network, the IDP device may, during times of high network congestion, compromise network connectivity.
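The following is an added illustration, not part of the original text, of the inefficiency described above. It models a statically provisioned IDP that evaluates every regular-expression signature against every stream, then counts how many of those evaluations target services the destination network does not even expose. The signature set, the per-network service profiles, and the sample payloads are all constructed for this example and are not drawn from any real product or rule set.

```python
import re
from dataclasses import dataclass

# Constructed signature set: each rule is keyed to the service whose
# vulnerability it is meant to cover (service, compiled pattern).
SIGNATURES = {
    "cgi-bin traversal": ("http", re.compile(rb"GET /cgi-bin/[^ ]*\.\./")),
    "sql tautology": ("mysql", re.compile(rb"(?i)' OR '1'='1")),
    "smb ipc share": ("smb", re.compile(rb"\\IPC\$")),
    "ssh v1 banner": ("ssh", re.compile(rb"SSH-1\.")),
}

# Constructed profiles: which services each protected network actually
# exposes. "netA" is the least secure network; the static rule set is
# sized to cover it.
NETWORK_SERVICES = {
    "netA": {"http", "mysql", "smb", "ssh"},
    "netB": {"http"},
    "netC": {"ssh"},
}


@dataclass
class Stream:
    dst_network: str
    payload: bytes


def static_idp(stream):
    """Conventional behaviour: apply every signature to every stream,
    regardless of destination. Returns (rules applied, rules that matched)."""
    applied, hits = [], []
    for name, (_service, pattern) in SIGNATURES.items():
        applied.append(name)
        if pattern.search(stream.payload):
            hits.append(name)
    return applied, hits


def wasted_evaluations(stream, applied):
    """Count rule evaluations whose target service the destination
    network does not expose; these can never prevent a successful attack."""
    exposed = NETWORK_SERVICES[stream.dst_network]
    return sum(1 for name in applied if SIGNATURES[name][0] not in exposed)


def summarize(streams):
    """Aggregate evaluation and hit counts across a batch of streams."""
    totals = {"evaluations": 0, "wasted": 0, "hits": 0, "hits_against_unexposed": 0}
    for stream in streams:
        applied, hits = static_idp(stream)
        exposed = NETWORK_SERVICES[stream.dst_network]
        totals["evaluations"] += len(applied)
        totals["wasted"] += wasted_evaluations(stream, applied)
        totals["hits"] += len(hits)
        totals["hits_against_unexposed"] += sum(
            1 for name in hits if SIGNATURES[name][0] not in exposed
        )
    return totals


# Constructed sample streams: one per protected network.
SAMPLE_STREAMS = [
    Stream("netA", b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"),
    Stream("netB", b"SELECT * FROM users WHERE name='' OR '1'='1'"),
    Stream("netC", b"SSH-2.0-OpenSSH_8.9\r\n"),
]

if __name__ == "__main__":
    for stream in SAMPLE_STREAMS:
        applied, hits = static_idp(stream)
        print(stream.dst_network, "applied:", len(applied),
              "wasted:", wasted_evaluations(stream, applied), "hits:", hits)
    print(summarize(SAMPLE_STREAMS))
```

Half of the twelve signature evaluations in this batch are spent on services the destination does not run, and the one SQL-tautology hit on the stream bound for netB is an alert for an attack that network cannot suffer. Those are the wasted resources and spurious work the text describes; under congestion they compete with streams that do need inspection.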